I.T. Security and Linux Administration

May 31 2013   12:23PM GMT

Leaking information through API



Posted by: Eric Hansen
Tags:
security

I’ll be honest, I was torn on whether to post about this or not.  On one hand its perfect for this blog as it mentions security…on the other hand, it kind of opens up new doors for stalkers.  But, here I go.

I’ve never heard of this service before, but apparently there’s a social media website out there called Skout, which basically is a 4square service for meeting up.  There was a recent article though on a blog (http://corte.si/posts/security/skout/index.html) that mentioned that Skout was sending back more in the API than they should.  Namely the concern was the geographical coordinates of the user (longitude and latitude).

This issue has been resolved, but it got me wondering, what other services leak such sensitive information?  I know Facebook’s tagging system works by ID, but what about when its trying to find your location?  It goes through your phone’s GPS system, that’s sent over the air, nothing is saying that the data is encrypted.  Its one reason why I prefer open-source, but that’s a different topic.

When you create an API for your service, whether it be web or not, you have to consider what you are returning as well as receiving.  If you’re going to just dump the records into a JSON object and return it, then why not just let the user have free reign over your server?  You’re essentially doing the same thing.  Not to mention, returning only what you need speeds up the process.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: